This repository has been archived by the owner on Jun 1, 2024. It is now read-only.

Last alphas make Trebuchet crash (device unusable) #2555

Closed
pihug12 opened this issue Oct 1, 2017 · 4 comments · Fixed by #2563
Labels: Crash, Needs Reproduction

Comments


pihug12 commented Oct 1, 2017

Slide version: F-Droid 5.6.5-alpha5 or 5.6.5-alpha6
Android version: 5.1.1 (CM12.1)
Google Play Service: microG Service Core version 0.2.4-105-gf289a13

After installing the last alpha (5 or 6) of Slide, my device is extremely unusable (Trebuchet crash, reboot itself, etc.).

This issue seems pretty similar: TwidereProject/Twidere-Android#963 (september 2017 too)


Removing the app via adb (I can't do it via the UI) solves the issue immediately:

adb shell
rm -r /data/app/me.ccrama.redditslide-*
rm -r /data/data/me.ccrama.redditslide

Here is a tombstone:

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/cm_tate/tate:5.1.1/LMY49J/90f46b1986:userdebug/test-keys'
Revision: '0'
ABI: 'arm'
pid: 6139, tid: 6157, name: launcher-loader  >>> com.cyanogenmod.trebuchet <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xdeadbaad
Abort message: 'invalid address or address of corrupt block 0x571 passed to dlfree'
    r0 00000000  r1 40231dec  r2 deadbaad  r3 00000000
    r4 00000571  r5 402330d8  r6 4000f000  r7 00000579
    r8 6af1767c  r9 6af1773c  sl 403b42aa  fp 403b42b3
    ip 01000000  sp 6af17628  lr 4020320b  pc 4020320c  cpsr 60030030
    d0  0000000000000000  d1  0000000000000000
    d2  0000000000000000  d3  0000000000000000
    d4  0002aec10002aec1  d5  000000000002aec1
    d6  0000001110000053  d7  0073007000000016
    d8  41dfffff3f800000  d9  c1e0000000000000
    d10 43e0000000000000  d11 c3e0000000000000
    d12 df0000005f000000  d13 0000000000000000
    d14 0000000000000000  d15 0000000000000000
    d16 0000000000000000  d17 0000000000000fff
    d18 0000000000006000  d19 0000000000000000
    d20 0000000000000000  d21 0000000000000000
    d22 0000000000000000  d23 0000000000000000
    d24 0000000000000000  d25 0000000000000000
    d26 0707070703030303  d27 0100000002000000
    d28 0000000000000000  d29 0000000000000001
    d30 0000000000000000  d31 0000000000000000
    scr 60000011

backtrace:
    #00 pc 0002920c  /system/lib/libc.so (dlfree+1239)
    #01 pc 0000f363  /system/lib/libc.so (free+10)
    #02 pc 00012b37  /system/lib/libandroidfw.so (_ZN7android13ResStringPool6uninitEv+38)
    #03 pc 00013873  /system/lib/libandroidfw.so (_ZN7android10ResXMLTree6uninitEv+12)
    #04 pc 00013891  /system/lib/libandroidfw.so (_ZN7android10ResXMLTreeD1Ev+4)
    #05 pc 00010557  /system/lib/libandroidfw.so (_ZN7android12AssetManager10getPkgNameEPKc+258)
    #06 pc 000105b9  /system/lib/libandroidfw.so (_ZN7android12AssetManager18getBasePackageNameEj+68)
    #07 pc 0008200f  /system/lib/libandroid_runtime.so
    #08 pc 0028ec2b  /data/dalvik-cache/arm/system@framework@boot.oat

stack:
         6af175e8  000e5000
         6af175ec  8d9a985b
         6af175f0  0800700c
         6af175f4  00000571
         6af175f8  402330d8
         6af175fc  4000f000
         6af17600  00000579
         6af17604  401ec431  /system/lib/libc.so (__libc_fatal_no_abort+16)
         6af17608  40224259  /system/lib/libc.so
         6af1760c  6af1761c
         6af17610  40227a7e  /system/lib/libc.so
         6af17614  4020320b  /system/lib/libc.so (dlfree+1238)
         6af17618  40224259  /system/lib/libc.so
         6af1761c  00000571
         6af17620  40227a7e  /system/lib/libc.so
         6af17624  00000000
    #00  6af17628  6af176cc
         6af1762c  000000c7
         6af17630  00000000
         6af17634  6af17684
         6af17638  6af1767c
         6af1763c  401e9365  /system/lib/libc.so (free+12)
    #01  6af17640  4023323c
         6af17644  403a8b3b  /system/lib/libandroidfw.so (_ZN7android13ResStringPool6uninitEv+42)
    #02  6af17648  6af176a4
         6af1764c  6b35a698
         6af17650  6af17688
         6af17654  403a9877  /system/lib/libandroidfw.so (_ZN7android10ResXMLTree6uninitEv+16)
    #03  6af17658  6af176a4
         6af1765c  403a9895  /system/lib/libandroidfw.so (_ZN7android10ResXMLTreeD1Ev+8)
    #04  6af17660  6af176a4
         6af17664  403a655b  /system/lib/libandroidfw.so (_ZN7android12AssetManager10getPkgNameEPKc+262)
    #05  6af17668  00000001
         6af1766c  5a5a7018
         6af17670  6c0122b4  /data/app/me.ccrama.redditslide-1/base.apk
         6af17674  6af17678
         6af17678  00000008
         6af1767c  6b35a7b8
         6af17680  00000015
         6af17684  6b35a808
         6af17688  6b35a5b0
         6af1768c  00000002
         6af17690  40110d58
         6af17694  40110d58
         6af17698  40110d58
         6af1769c  40110d58
         6af176a0  00000000
         6af176a4  6af176a4
         ........  ........
    #06  6af17738  6af1775c
         6af1773c  6b35a808
         6af17740  00000002
         6af17744  6af1775c
         6af17748  41f3a978
         6af1774c  00000000
         6af17750  00000000
         6af17754  402d1013  /system/lib/libandroid_runtime.so
    #07  6af17758  41f3a978
         6af1775c  6af1777c
         6af17760  0000000c
         6af17764  70cba988  /data/dalvik-cache/arm/system@framework@boot.art
         6af17768  00000002
         6af1776c  7325ec2d  /data/dalvik-cache/arm/system@framework@boot.oat
    #08  6af17770  713a62d0  /data/dalvik-cache/arm/system@framework@boot.art
         6af17774  6af179f4
         6af17778  00000001
         6af1777c  12e0ff10  /dev/ashmem/dalvik-main space (deleted)
         6af17780  0000000b
         6af17784  00000003
         6af17788  00000000
         6af1778c  738af9ed  /data/dalvik-cache/arm/system@framework@boot.oat
         6af17790  7473a018  /dev/ashmem/dalvik-zygote space (deleted)
         6af17794  70cba988  /data/dalvik-cache/arm/system@framework@boot.art
         6af17798  00000002
         6af1779c  00000000
         6af177a0  00000000
         6af177a4  12e0ff10  /dev/ashmem/dalvik-main space (deleted)
         6af177a8  12e0ff10  /dev/ashmem/dalvik-main space (deleted)
         6af177ac  73710b0f  /data/dalvik-cache/arm/system@framework@boot.oat

ccrama (Collaborator) commented Oct 2, 2017

Unfortunately that doesn't give much information to work with, unless you can get a Java stack trace of the system before it reboots.

The0x539 added the Crash and Needs Reproduction labels on Oct 2, 2017

pihug12 (Author) commented Oct 2, 2017

Here is a logcat of the installation of alpha5.1 (the latest one on F-Droid): https://gist.github.com/anonymous/36bfa9326d313db02f4d4e470a4f7479
My device rebooted before the installation finished.

I don't know how I can provide a proper Java stacktrace.

While comparing the newest commits of Slide and Twidere, I saw something related: "notification channels". I don't know if it's a clue or not.

ccrama (Collaborator) commented Oct 3, 2017

Honestly that looks a lot like a system crash because of some missing system resources, and not really something I can fix from my end. When was the last update to Trebuchet?

pihug12 (Author) commented Oct 10, 2017

Just found the related bug report: https://issuetracker.google.com/issues/64434571

Workaround:

If you need to build with 3.0 but are running into this bug you can disable aapt2 using -Pandroid.enableAapt2=false on the command line when doing your build.

Explanation:

CyanogenMod has this function getPkgName (https://github.com/CyanogenMod/android_frameworks_base/blob/cm-13.0/libs/androidfw/AssetManager.cpp). It creates a ResXMLTree on the stack and points it at a buffer from an asset without making a copy. Then it closes the asset before the ResXMLTree is destroyed.

For apps built by aapt, this is benign. However, aapt2 produces UTF-8 string pools, which cause the ResXMLTree's ResStringPool(mStrings)'s mCache to become non-null in ResStringPool::stringAt (https://github.com/CyanogenMod/android_frameworks_base/blob/cm-13.0/libs/androidfw/ResourceTypes.cpp). Then ResStringPool::uninit dereferences mHeader (which is now dangling), and a crash ensues.

This crash shows up in different ways. On one Cyanogen OS device, the launcher crashes when an app built with aapt2 has been installed, but only if the manifest is large (probably due to how deallocation happens for small vs large blobs). On another device, system_server crashes at boot if an aapt2-built app is installed.
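
As an added illustration of the lifetime bug described in the quoted explanation above (this is my own C++ model written for this page, not code from Slide, CyanogenMod or the Google bug report): a pool object borrows an asset buffer without copying, a UTF-8 pool lazily allocates a decode cache on the first string lookup, and the asset is closed before the pool is torn down. The blob layout, the class bodies, the `buildPool` helper and the poisoning `close()` are my assumptions and simplifications; only the ordering of operations and the UTF-8/UTF-16 distinction come from the explanation. The UTF-16 pool never allocates the cache, so the wrong ordering stays benign for it, which is why apps built by aapt did not trigger the crash.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <utility>
#include <vector>

// Constructed pool layout for this demo (not the real ResStringPool format):
// uint32 stringCount, uint32 flags, then stringCount entries of
// [uint16 len][len units]; a unit is 1 byte (UTF-8) or 2 bytes (UTF-16).
constexpr uint32_t UTF8_FLAG = 1u << 8;  // same bit value as ResStringPool_header::UTF8_FLAG

// Stand-in for android::Asset. A real close() returns the buffer to the allocator; this one
// poisons it in place (as a debug allocator would) so the later dangling read is well-defined
// for the demo yet visibly wrong.
class Asset {
public:
    explicit Asset(std::vector<uint8_t> bytes) : mBuf(std::move(bytes)) {}
    const uint8_t* data() const { return mBuf.data(); }
    size_t size() const { return mBuf.size(); }
    void close() { std::memset(mBuf.data(), 0xAD, mBuf.size()); mClosed = true; }
    bool closed() const { return mClosed; }
private:
    std::vector<uint8_t> mBuf;
    bool mClosed = false;
};

// Stand-in for android::ResStringPool: setTo() borrows the buffer (copyData = false) and a
// UTF-8 pool allocates its decode cache (mCache) lazily on the first stringAt() call.
class StringPool {
public:
    ~StringPool() { uninit(); }

    void setTo(const uint8_t* data, size_t len) {
        uninit();
        if (len < 8) return;
        mHeader = data; mEnd = data + len;
    }

    std::string stringAt(uint32_t idx) {
        if (!mHeader || idx >= field(0)) return std::string();
        if ((field(4) & UTF8_FLAG) == 0) return decode(idx, 2);  // aapt pool: no cache, nothing to free
        if (!mCache) {                                           // aapt2 pool: this makes uninit() read mHeader
            mCacheCount = field(0);
            mCache = new std::string*[mCacheCount]();
        }
        if (!mCache[idx]) mCache[idx] = new std::string(decode(idx, 1));
        return *mCache[idx];
    }

    // 0 = clean release; 1 = the stringCount read back through mHeader no longer matches the
    // cache that was allocated, i.e. mHeader is dangling (on the device this ended in dlfree()).
    int uninit() {
        int rc = 0;
        if (mCache) {
            if (field(0) != mCacheCount) rc = 1;  // use-after-free if the asset was already closed
            for (uint32_t i = 0; i < mCacheCount; i++) delete mCache[i];
            delete[] mCache; mCache = nullptr; mCacheCount = 0;
        }
        mHeader = nullptr; mEnd = nullptr;
        return rc;
    }

private:
    uint32_t field(size_t off) const { uint32_t v; std::memcpy(&v, mHeader + off, 4); return v; }

    std::string decode(uint32_t idx, size_t unit) const {
        const uint8_t* p = mHeader + 8;
        for (uint32_t i = 0; ; i++) {
            uint16_t len;
            if (static_cast<size_t>(mEnd - p) < 2) return std::string();
            std::memcpy(&len, p, 2); p += 2;
            if (static_cast<size_t>(mEnd - p) < len * unit) return std::string();
            if (i == idx) {
                std::string s;
                for (uint16_t k = 0; k < len; k++) s.push_back(static_cast<char>(p[k * unit]));  // ASCII demo data
                return s;
            }
            p += len * unit;
        }
    }

    const uint8_t* mHeader = nullptr;
    const uint8_t* mEnd = nullptr;
    std::string** mCache = nullptr;
    uint32_t mCacheCount = 0;
};

// Builds a demo blob in the layout above (constructed input, little-endian units).
std::vector<uint8_t> buildPool(const std::vector<std::string>& strings, bool utf8) {
    std::vector<uint8_t> out(8);
    uint32_t count = static_cast<uint32_t>(strings.size()), flags = utf8 ? UTF8_FLAG : 0u;
    std::memcpy(&out[0], &count, 4); std::memcpy(&out[4], &flags, 4);
    for (const std::string& s : strings) {
        uint16_t len = static_cast<uint16_t>(s.size());
        out.resize(out.size() + 2); std::memcpy(&out[out.size() - 2], &len, 2);
        for (unsigned char c : s) { out.push_back(c); if (!utf8) out.push_back(0); }
    }
    return out;
}

// Ordering the explanation attributes to CM's getPkgName(): borrow, close the asset, then tear down.
int getPkgNameBuggy(Asset& asset, std::string& name) {
    StringPool pool;
    pool.setTo(asset.data(), asset.size());
    name = pool.stringAt(0);
    asset.close();          // buffer gone while pool still points into it
    return pool.uninit();   // UTF-8 pool: dangling mHeader read here
}

// Fix: tear the pool down before releasing the buffer it borrows (copying in setTo is the other option).
int getPkgNameFixed(Asset& asset, std::string& name) {
    int rc;
    {
        StringPool pool;
        pool.setTo(asset.data(), asset.size());
        name = pool.stringAt(0);
        rc = pool.uninit();
    }
    asset.close();
    return rc;
}

int main() {
    std::string n;
    Asset utf8(buildPool({"me.ccrama.redditslide"}, true));
    std::printf("buggy order, aapt2 (UTF-8) pool: rc=%d\n", getPkgNameBuggy(utf8, n));
    Asset utf16(buildPool({"me.ccrama.redditslide"}, false));
    std::printf("buggy order, aapt (UTF-16) pool: rc=%d\n", getPkgNameBuggy(utf16, n));
    Asset fixed(buildPool({"me.ccrama.redditslide"}, true));
    int rc = getPkgNameFixed(fixed, n);
    std::printf("fixed order, aapt2 pool: rc=%d name=%s\n", rc, n.c_str());
    return 0;
}
```

The model returns an error code where the real code walks a garbage stringCount and hands bad pointers to free(); the point is that the same borrowed-pointer ordering is silent for one input format and a crash for the other, which is why a toolchain change (aapt to aapt2) surfaced a bug in platform code that had shipped for years.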
